CVSS 10.0 RCE Rocks the Frontend World: React/Next.js Hit by a Log4Shell‑Level Vulnerability?
December 4th, 2025 — A day the frontend ecosystem won’t forget.
If Log4Shell was Java’s nightmare in 2021, then today’s disclosure of CVE‑2025‑55182 (Next.js counterpart CVE‑2025‑66478) marks the darkest hour of the modern React/Next.js full‑stack era.
A CVSS score of 10.0, unauthenticated RCE, and impact across React 19, Next.js 15/16, and any framework implementing React Server Components (RSC).
If you're reading this before coffee:
drop everything and check your versions.
React’s core team has officially confirmed a critical remote code execution vulnerability inside the implementation of React Server Components — and it’s as bad as it sounds.
To understand the issue, we need to understand how RSC moves data.
React Server Components rely on a streaming, JSON‑like protocol called Flight…